Wednesday, 26 May 2010

PCI DSS QSA, ISA and Iron Man 2


Once upon a time, a PCI SSC member sat down in the cinema to watch the Iron Man sequel, Iron Man 2. Quite impressed by the character Ivan Vanko (played by Mickey Rourke), an idea struck to create a vaguely similar character to the QSA, and name it ISA. An internal employee will go through the PCI SSC ISA training and interpret the standard to create something called the ‘ISA jacket’. At the same time, somewhere in the world or locally, a QSA Company is busy creating a QSA who is working on the ‘QSA jacket’. When being assessed, the internal employee will wear the ‘ISA jacket’ to protect the assessed environment when the QSA comes donning the ‘QSA jacket’. This jacket will also be useful when doing self-assessments. There may be sparks when the two jackets meet, but the assessed organisation is intended to benefit. However, this ISA jacket doesn’t come cheap, so organisations beware!





New questions will be raised, arguments discussed and hopefully clarified and agreed, with the intent to improve the security of organisations – this is exactly what both jackets were created to achieve: stop the bad guys! Having thought of this again, the ISA seems more like James Rhodes’ character, played by Don Cheadle. Ivan Vanko (use a Russian accent from here) is more like the Albert Gonzalezes of the real world. :)

More ISA info here: https://www.pcisecuritystandards.org/education/isa_training.shtml

Wednesday, 19 May 2010

Change control, security and PCI DSS


A recent change control question from a colleague, observations over the past year with two clients, and PCI DSS-related blog coverage prompt me to write this post.


The change control processes followed by the two clients, although both implemented and in place, could not be more different. One had a mature process with a Change Management framework in place: Change Analysts reviewed the requests in the queue with the awareness necessary to allocate them to the right business function for assessment/approval, using a relatively mature tool that aided the process. Regular reviews of Changes by key stakeholders were also in place to discuss the requests. The other client had an in-house tool developed to log and track requests. However, the framework for managing the requests was very weak, with the Change Management team not fully understanding the business and also not aware of whom to assign a change to or when to close the request.


PCI DSS covers Change Control related requirements primarily in 6.4, but it seems Change Control is not given the emphasis that is needed in the security community, probably because it is seen more as a service management function. I believe in the Security Programme Life Cycle diagram below, and I have come across discussions around this in blog posts quite frequently. Business environments change for various reasons, and a good Change Control framework is not only important for the agility and adaptiveness of the business but also for the benefit of Security management, to maintain the security posture of the environment and in some cases improve it too!




[Image: Security Programme Life Cycle diagram]


Monday, 17 May 2010

SIEM Musings - Part 1

The intent of this post is to provide the reader with a 'Then and Now' view of the SIEM market using the Gartner MQs from the past few years. As the first post of the blog, I also cover how logging and SIEM in general have interested me over these years.

History

It started as an internal project to create a log collection server with one of my previous employers. I was tasked with the challenge of creating an easy-to-deploy, open source and, of course, secure logging solution that essentially acted as a syslog server, within six months. Using a Debian LiveCD (Knoppix), SELinux, VMware and guidance from @craigbalding, the race against time began to create an extremely light, hardened and secure image that would be used as a cheap and easy syslog server by whoever wanted to deploy one in their business. Obviously, questions came up around what to log, how to log, when to log, why to log, etc. Some areas were covered, some were missed, and after many weeks of hard work the project was delivered. Although it was just a small step in the right direction for the organisation, the biggest benefit for me was the first-hand experience of developing an alpha 'log management' tool and of the challenges around acceptance of such a solution in businesses of various shapes and sizes.

Following this, a project followed to select a mature product offering SIEM capabilities. This was in 2006, and I got my hands on what I believe to be the first Gartner SIEM MQ, for 1H06.

Since then, I have been studying these reports closely, looking at the developments in the products, deploying some of these products and also working with businesses in various industry sectors to reap benefits from their logging solution of choice.

SIEM MQs

So, below are the MQs from 2006, 2008, 2009 and, most recently, 2010.




[Image: Gartner SIEM Magic Quadrant, 2006]



[Image: Gartner SIEM Magic Quadrant, 2008]



[Image: Gartner SIEM Magic Quadrant, 2009]



[Image: Gartner SIEM Magic Quadrant, 2010]

And below is a quick tabular assessment of the above MQs. This may give an idea of how the vendors have fared over the years in the eyes of Gartner analysts, using their definition of SIEM. The vendors in green font have appeared in all 4 MQs, not necessarily in the same quadrant. Pardon the colour selection :).


[Image: table of vendor positions across the 2006, 2008, 2009 and 2010 SIEM MQs]

Hopefully, the above provides businesses in the process of SIEM vendor selection with a quick snapshot of where vendors are positioned in the MQ and their journeys within it.

Personally, I take the MQ as a good starting point for vendor selection/assessment, but it certainly shouldn't be the end or the focus of it. As with most product selection, this is a multiobjective optimisation problem. Businesses have various constraints against which to make this selection, such as cost, compliance, operations, incident response, audit, etc.

In the next post, I would like to focus on vendor movements in the MQ and whether these movements make sense. Probably this will lead to the science behind the MQ, who knows! ;) What I am really interested to know is whether these movements are actually experienced by the organisations who use these products, e.g. someone using Q1Labs since 2006.

Thank you @rockyd for pointing me to the 2010 MQ.